
Thread: Salted Password Hash

  1. #1
    The Barnfather jmurrayhead
    Join Date
    Mar 2008
    Location
    Washington, D.C.
    Posts
    2,347
    Blog Entries
    9
    Rep Power
    19

    Salted Password Hash

    For added security, it is a good idea to use a salted password hash. Below are a few methods that I use in my applications to create the salt and password hash.

    Create Salt:

    Code:
            ' Requires (at the top of the file): Imports System.Security.Cryptography
            Public Shared Function CreateSalt(ByVal size As Integer) As String
                ' Generate "size" cryptographically random bytes using the
                ' cryptographic service provider. In VB.Net the array bound is the
                ' upper index, so New Byte(size - 1) {} gives exactly "size" bytes
                ' (New Byte(size) {} would allocate size + 1).
                Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
                Dim buff As Byte() = New Byte(size - 1) {}
                rng.GetBytes(buff)

                ' Return a Base64 string representation of the random bytes.
                ' Base64 is longer than the input: 8 bytes become 12 characters.
                Return Convert.ToBase64String(buff)
            End Function
    
    Create the salted password hash:
    Code:
            ' Requires (at the top of the file): Imports System.Web.Security
            Public Shared Function CreatePasswordHash(ByVal pwd As String, ByVal salt As String) As String
                ' Hash the password and salt together
                Dim saltandPwd As String = String.Concat(pwd, salt)
                ' SHA1 hex digest, 40 characters
                Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(saltandPwd, "SHA1")
                ' The salt is appended to the digest, so the stored value is
                ' 40 + Len(salt) characters long
                hashedPwd = String.Concat(hashedPwd, salt)

                Return hashedPwd
            End Function
    
    Required Database fields (2):
    Salt varchar (200).
    PasswordHash varchar (200).

    To Use:
    When creating a new user, call CreateSalt() to generate a new salt for the user. Then call CreatePasswordHash to hash the password and salt together.

    When authenticating a user, retrieve the salt and hashed password from the database. Pass the password supplied from the user and the salt retrieved from the database through CreatePasswordHash(). Compare that value to the hashed password retrieved from the database.

    That's it! Keep in mind, this all happens on the server side. Anything can be intercepted when sent from the client unless sent over a secure connection.
    jmurrayhead
    If you agree, give me rep. If my post helped you, click "Thanks".
    If you like it here...throw us a few bones to help support us.
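    The scheme from the post above, rewritten in Python as an added example (not the thread's code) so it can be run outside ASP.Net. create_salt and create_password_hash mirror CreateSalt and CreatePasswordHash; I assume HashPasswordForStoringInConfigFile(..., "SHA1") is the uppercase hex SHA-1 of the UTF-8 bytes of its input, which is what the code below reproduces. verify_password is the "To Use" authentication step with a constant-time comparison. create_password_hash_pbkdf2 and verify_pbkdf2 are a hardened variant of the same salt-plus-hash idea (PBKDF2 instead of a single SHA-1 round), added for comparison; all names are mine.

```python
import base64
import hashlib
import hmac
import os


def create_salt(size: int) -> str:
    """Mirror of CreateSalt: `size` random bytes, Base64-encoded.

    Base64 expands the data, so the returned string is 4 * ceil(size / 3)
    characters long: 8 bytes become 12 characters, not 8.
    """
    return base64.b64encode(os.urandom(size)).decode("ascii")


def create_password_hash(pwd: str, salt: str) -> str:
    """Mirror of CreatePasswordHash from the thread.

    Assumption: HashPasswordForStoringInConfigFile(s, "SHA1") returns the
    uppercase hex SHA-1 of the UTF-8 bytes of s (40 characters).  The salt
    is appended afterwards exactly as the VB.Net code does, so the stored
    value is 40 + len(salt) characters.
    """
    digest = hashlib.sha1((pwd + salt).encode("utf-8")).hexdigest().upper()
    return digest + salt


def verify_password(pwd: str, stored_salt: str, stored_hash: str) -> bool:
    """Authentication step: re-hash the submitted password with the salt
    read from the database and compare with the stored hash.  compare_digest
    does not stop at the first differing character, so timing does not leak
    how much of the hash matched."""
    return hmac.compare_digest(create_password_hash(pwd, stored_salt), stored_hash)


# Hardened variant: the same "salt + password" idea, but an iterated, slow
# KDF instead of one SHA-1 round, with the parameters stored in the record.
PBKDF2_ITERATIONS = 600_000


def create_password_hash_pbkdf2(pwd: str, salt: str,
                                iterations: int = PBKDF2_ITERATIONS) -> str:
    raw = hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"),
                              salt.encode("utf-8"), iterations)
    encoded = base64.b64encode(raw).decode("ascii")
    return f"pbkdf2_sha256${iterations}${salt}${encoded}"


def verify_pbkdf2(pwd: str, stored: str) -> bool:
    """Parse algorithm, iteration count and salt back out of the record and
    recompute; the salt column is no longer needed separately."""
    algorithm, iterations, salt, _ = stored.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        return False
    recomputed = create_password_hash_pbkdf2(pwd, salt, int(iterations))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    salt = create_salt(8)
    stored = create_password_hash("correct horse", salt)
    print(len(salt), len(stored))                            # 12 52
    print(verify_password("correct horse", salt, stored))    # True
    print(verify_password("wrong", salt, stored))            # False
    record = create_password_hash_pbkdf2("correct horse", salt)
    print(verify_pbkdf2("correct horse", record), verify_pbkdf2("wrong", record))
```

    The SHA-1 path is kept only to match what the thread stores; for a new application the PBKDF2 record (or a memory-hard KDF) is the one to persist, and the column only needs to be wide enough for that one string.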


  2. #2
    Administrator richyrich
    Join Date
    Mar 2008
    Location
    Somewhere only we know...
    Posts
    1,724
    Blog Entries
    10
    Rep Power
    11

    I tried using this code but when I attempt to log back in, it won't match the passwords. When I rehash the entered password using the Salt from the db it doesn't match the hashed password stored in the database.

    I'm using MySQL with a VARCHAR (8) field for Salt and VARCHAR (48) field for password hash and have a stored procedure that adds the user to the db.

    Am I missing something?

  3. #3
    The Barnfather jmurrayhead

    Hey rr,

    Please post how you're using the above methods.
    jmurrayhead


  4. #4
    Administrator richyrich

    OK. When I add a user I have this:-
    Code:
            ' Generate a salt for the new user and pass salt and hash as parameters
            Dim salt As String = CreateSalt(8)
            Dim passwordHash As MySqlParameter = mycomm.Parameters.Add("passwordHash", MySqlDbType.VarChar)
            passwordHash.Value = CreatePasswordHash(user.password, salt)
            Dim psalt As MySqlParameter = mycomm.Parameters.Add("salt", MySqlDbType.VarChar)
            psalt.Value = salt
    CreateSalt
    Code:
            ' Requires (at the top of the file): Imports System.Security.Cryptography
            Public Shared Function CreateSalt(ByVal size As Integer) As String
                ' Generate "size" cryptographically random bytes using the
                ' cryptographic service provider (New Byte(size - 1) {} gives
                ' exactly "size" bytes; New Byte(size) {} would give size + 1)
                Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
                Dim buff As Byte() = New Byte(size - 1) {}
                rng.GetBytes(buff)
                ' Return a Base64 string representation of the random bytes
                ' (longer than "size": 8 bytes become 12 characters)
                Return Convert.ToBase64String(buff)
            End Function
    CreatePasswordHash
    Code:
            ' Requires (at the top of the file): Imports System.Web.Security
            Public Shared Function CreatePasswordHash(ByVal pwd As String, ByVal salt As String) As String
                Dim saltandPwd As String = String.Concat(pwd, salt)
                ' 40-character SHA1 hex digest
                Dim hashedPwd As String = FormsAuthentication.HashPasswordForStoringInConfigFile(saltandPwd, "SHA1")
                ' Salt appended, so the result is 40 + Len(salt) characters
                hashedPwd = String.Concat(hashedPwd, salt)
                Return hashedPwd
            End Function
    Then to check the password I have
    Code:
          ' Requires (at the top of the file): Imports MySql.Data.MySqlClient
          Public Shared Function CheckLogin(ByVal email As String, ByVal password As String) As UserBOL
              Dim result As New UserBOL
              Dim conn As New MySqlConnection(ConnDAL.connString)
              Dim mycomm As New MySqlCommand("SELECT userref,salt,passwordHash FROM users WHERE email=?email", conn)
              Dim rs As MySqlDataReader
              Using conn
                  Using mycomm
                      Try
                          mycomm.Parameters.AddWithValue("email", email)
                          conn.Open()
                          rs = mycomm.ExecuteReader()
                          If rs.HasRows Then
                              rs.Read()
                              ' Re-hash the supplied password with the stored salt and compare
                              If CreatePasswordHash(password, rs("salt")) = rs("passwordHash") Then
                                  ' authenticated
                                  result.userref = rs("userref")
                              Else
                                  ' It always ends up here
                                  result.userref = 10
                                  result.email = CreatePasswordHash(password, rs("salt"))
                              End If
                          Else
                              ' no user with that email
                              result.userref = 9
                          End If
                          rs.Close()
                      Catch ex As Exception
                          result.err = ex.ToString
                          result.userref = 11
                      Finally
                          mycomm.Dispose()
                          conn.Close()
                          conn.Dispose()
                      End Try
                  End Using
              End Using

              Return result
          End Function

    Last edited by richyrich; December 22nd, 2008 at 11:33 AM.

  5. #5
    The Barnfather jmurrayhead

    Okay RR...the problem is that I provided the field length for the salt based on the value (size) I was using. For size of 8 bytes, you need a salt field of 12 characters.

    You will have to resize this field, create a new hash and then run this again. You will also have to resize the hashed password field. I will fix my first post.
    jmurrayhead
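    A worked version of the sizing point in the post above, added here as an example and not part of the thread: the Base64 length of the salt for a given byte count, the resulting passwordHash column width (40 hex characters for SHA1 plus the appended salt), and what the login check sees when the columns are too narrow and the database keeps only the first N characters, as a VARCHAR(8) / VARCHAR(48) pair would in a MySQL server that is not in strict mode. simulate_varchar is my model of that truncation, the three-line create_password_hash mirrors the thread's CreatePasswordHash (assuming uppercase hex SHA-1 over UTF-8), and the other names are mine.

```python
import base64
import hashlib
import math
import os

# HashPasswordForStoringInConfigFile(..., "SHA1") returns 40 hex characters
SHA1_HEX_LENGTH = 40


def base64_length(n_bytes: int) -> int:
    """Characters produced by Base64-encoding n_bytes, padding included."""
    return 4 * math.ceil(n_bytes / 3)


def required_columns(size: int) -> tuple:
    """(salt column width, passwordHash column width) for CreateSalt(size),
    given that CreatePasswordHash appends the salt to the 40-char digest."""
    salt_len = base64_length(size)
    return salt_len, SHA1_HEX_LENGTH + salt_len


def create_password_hash(pwd: str, salt: str) -> str:
    # Mirrors the thread's CreatePasswordHash: uppercase hex SHA-1, then the salt
    return hashlib.sha1((pwd + salt).encode("utf-8")).hexdigest().upper() + salt


def simulate_varchar(value: str, width: int) -> str:
    """Model of a non-strict MySQL VARCHAR(width): longer values are cut off
    at `width` characters instead of being rejected."""
    return value[:width]


def store_and_check(pwd: str, salt: str, salt_width: int, hash_width: int) -> bool:
    """Write salt and hash into columns of the given widths, then run the
    login check the way CheckLogin does: re-hash the password with the salt
    read back from the row and compare with the stored hash."""
    stored_salt = simulate_varchar(salt, salt_width)
    stored_hash = simulate_varchar(create_password_hash(pwd, salt), hash_width)
    return create_password_hash(pwd, stored_salt) == stored_hash


def main() -> None:
    size = 8
    # Constructed salt, exactly what CreateSalt(8) produces: 8 bytes -> 12 chars
    salt = base64.b64encode(os.urandom(size)).decode("ascii")
    salt_width, hash_width = required_columns(size)
    print(f"CreateSalt({size}) -> {len(salt)} chars; columns needed: "
          f"salt {salt_width}, passwordHash {hash_width}")
    # salt cut to 8 chars: the re-hash uses a different salt, so no match
    print("VARCHAR(8)/VARCHAR(48): ", store_and_check("pw", salt, 8, 48))    # False
    # salt intact but hash cut to 48 of 52 chars: still no match
    print("VARCHAR(12)/VARCHAR(48):", store_and_check("pw", salt, 12, 48))   # False
    # both columns wide enough
    print(f"VARCHAR({salt_width})/VARCHAR({hash_width}):",
          store_and_check("pw", salt, salt_width, hash_width))              # True


if __name__ == "__main__":
    main()
```

    The same arithmetic applies to the parameter sizes declared in the stored procedure and on the MySqlParameter objects: every hop between CreateSalt and the row has to carry the full 12 and 52 characters, or the login comparison in CheckLogin is made against a salt or hash that was never stored.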


  6. #6
    Administrator richyrich

    Hey J

    Not sure I quite get it.....I've changed the Salt field to 12 characters and the password hash to 52, but it still doesn't match....And only 8 characters are saved in the db for the Salt.

    Have I misunderstood?

  7. #7
    The Barnfather jmurrayhead

    Quote Originally Posted by richyrich:
    Hey J

    Not sure I quite get it.....I've changed the Salt field to 12 characters and the password hash to 52, but it still doesn't match....And only 8 characters are saved in the db for the Salt.

    Have I misunderstood?
    Did you delete the record and recreate the user? Have you tried debugging using Visual Studio or Visual Web Developer to see what values you are comparing?
    jmurrayhead


  8. #8
    Administrator richyrich

    Yep. I removed the user and added them again.

    I presume this doesn't change?
    Code:
    Dim salt As String = CreateSalt(8)
    
    I still only get 8 characters saved in the Salt field.

    What should I debug?...I have passed the hashed password back to the screen and I can see it doesn't match the password stored in the db.

  9. #9
    The Barnfather jmurrayhead

    Quote Originally Posted by richyrich:
    Yep. I removed the user and added them again.

    I presume this doesn't change?
    Code:
    Dim salt As String = CreateSalt(8)
    
    I still only get 8 characters saved in the Salt field.

    What should I debug?...I have passed the hashed password back to the screen and I can see it doesn't match the password stored in the db.
    Have you changed the parameter size in the stored procedure and in VB.Net to the correct size?
    jmurrayhead


  10. #10
    Administrator richyrich

    OK. That seemed to sort it...

    Thanks J...
